The first method is the easiest: LDAPS is automatically enabled when
you install an Enterprise Root CA on a Domain Controller. If you
install the AD-CS role and specify the type of setup as “Enterprise”
on a DC, all DCs in the forest will automatically be configured to
accept LDAPS.

Is that true? If I install certificate services on a single DC, do all DCs in the domain accept LDAPS? Do they all automatically enroll for certificates, or are all LDAPS requests directed back to the DC with the root CA installed? What happens if I uninstall the root CA from the DC?

I have to enable LDAPS. If I just install a root CA on a DC, am I done?

I understand the security implications but for my small environment this would be the preferable path.

1 Answer

The General Answer

In a standard Active Directory integrated Certificate Authority installation your domain controllers will be issued a certificate based on the Domain Controller certificate template which includes the Server Authentication OID as an Intended Purpose. Any valid certificate containing this OID will automatically get picked up and bound for LDAPS (:636) by the Schannel service.

Removing this certificate, or lacking a proper Server Authentication certificate, will cause Warning events to get logged within the Event Viewer's Security log each second under the Schannel source.

Subject Alternate Name Support

A common caveat is needing proper Subject Alternate Name support for LDAPS certificates. The default Domain Controller certificate template does not include certificate SAN names. If you have domain.com with domain controllers named dc1.domain.com and dc2.domain.com, then LDAPS (:636) calls to domain.com will be returned using the certificate of the responding domain controller (dc1.domain.com or dc2.domain.com). Many applications and protocols will treat this as a security threat and error out.

Enabling SAN Support for LDAPS

Revoke and remove the standard-issued Domain Controller certificate on the domain controllers.

Open certificate.cer to see the certificate Schannel/LDAPS is presenting.

If I Use LDAPS (:636) Can I Block All LDAP (:389) Traffic?

Yes and no. Yes: you can block LDAP (:389) on all North-South traffic (between internal and external). No: you cannot block LDAP (:389) on East-West traffic (between internal and internal). LDAP (:389) is crucial to certain replication functions in Active Directory. These activities are secured using Kerberos signing and sealing.

Apologies for a lack of precise steps or screenshots. I'm not in an environment from which to supply them at this moment.
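An added example, not part of the original answer, that checks the two things the answer hinges on: whether a certificate carries the Server Authentication EKU (1.3.6.1.5.5.7.3.1) that Schannel selects on, and whether its SAN DNS names cover both the responding DC's FQDN and the domain name clients actually connect to. It does this first against the certificate a DC presents on :636 (the same thing the answer's certificate.cer step shows), then against every private-key certificate in the local machine store when run on the DC itself. The host names dc1.domain.com and domain.com, the function names, and the English "DNS Name=" label used when parsing the SAN extension's formatted text are assumptions.

```powershell
# Added example (not from the original answer). Assumptions: domain-joined
# Windows host, Windows PowerShell 5.1 or later, English certificate
# extension formatting. Host names below are placeholders.
param(
    [string]$DcName     = 'dc1.domain.com',   # assumption: the DC to probe
    [string]$DomainName = 'domain.com',       # assumption: name clients connect to
    [int]$Port          = 636
)

# 1. Retrieve the certificate Schannel presents on :636 (the TLS handshake
#    happens before any LDAP bind, so no credentials are needed).
function Get-LdapsCertificate {
    param([string]$HostName, [int]$Port = 636)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any server certificate here: we want to inspect it, not trust it.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($sender, $cert, $chain, $errors) $true
        }
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList `
            $client.GetStream(), $false, $callback
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
            -ArgumentList $ssl.RemoteCertificate
    } finally {
        $client.Close()
    }
}

# 2. Evaluate a certificate the way the answer describes: Server Authentication
#    EKU present, and SAN DNS names covering every name clients will use.
function Test-LdapsCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string[]]$RequiredNames
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'

    # EKU extension (2.5.29.37). Windows treats a certificate with no EKU
    # extension as valid for all purposes, so only an EKU that omits
    # Server Authentication disqualifies the certificate.
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $hasServerAuth = ($null -eq $eku) -or
        (@($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid }).Count -gt 0)

    # SAN extension (2.5.29.17). Format($false) yields a single line such as
    # "DNS Name=dc1.domain.com, DNS Name=domain.com" (English label assumed).
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $dnsNames = @()
    if ($null -ne $san) {
        $dnsNames = @($san.Format($false) -split ',\s*' |
            Where-Object { $_ -match '^DNS Name=' } |
            ForEach-Object { ($_ -replace '^DNS Name=', '').Trim().ToLowerInvariant() })
    }
    $missing = @($RequiredNames | ForEach-Object { $_.ToLowerInvariant() } |
        Where-Object { $dnsNames -notcontains $_ })

    [pscustomobject]@{
        Subject       = $Cert.Subject
        Thumbprint    = $Cert.Thumbprint
        NotAfter      = $Cert.NotAfter
        HasServerAuth = $hasServerAuth
        SanDnsNames   = $dnsNames
        MissingNames  = $missing
        Ok            = $hasServerAuth -and ($missing.Count -eq 0)
    }
}

# From any client: what does the DC present, and does that cert also cover
# the bare domain name? With the default Domain Controller template, expect
# MissingNames to contain 'domain.com' and Ok to be False.
$presented = Get-LdapsCertificate -HostName $DcName -Port $Port
Test-LdapsCertificate -Cert $presented -RequiredNames @($DcName, $DomainName) | Format-List

# On the DC itself: every candidate Schannel could choose from the machine
# store. More than one Ok=True row means the selection is ambiguous and
# which one gets bound to :636 is not under your explicit control.
Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey } |
    ForEach-Object { Test-LdapsCertificate -Cert $_ -RequiredNames @($DcName, $DomainName) } |
    Format-Table Subject, Thumbprint, HasServerAuth, MissingNames, Ok -AutoSize
```

Running the first probe with -HostName set to the bare domain name reproduces the failure mode the answer describes: DNS round-robin hands the connection to one DC, and the certificate that comes back names only that DC's FQDN, so a client that validates the name it dialled will reject it.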